SEI CERT C Coding Standard

Space shortcuts

Page tree

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 34 Next »

Common mistakes in creating format strings include

  • using invalid conversion specifications
  • using a length modifier on an incorrect specification
  • mismatching the argument and conversion specification type
  • using an argument of type other than int for width, precision, or the n conversion specification
  • providing insufficient arguments for all the conversion specifications in the format string
  • using invalid character classes

The following are C99-compliant conversion specifications [[ISO/IEC 9899:1999]]. Using any other specification may result in undefined behavior.

d, i, o, u, x, X, f, F, e, E, g, G, a, A, c, s, p, n, %

In addition, ISO/IEC 9945-2003 permits the following conversion specifications as synonyms for lc and ls:

C, S

Only some of the conversion specifications can correctly take a length modifier. Using a length modifier on any specification other than the following may result in undefined behavior.

d, i, o, u, x, X, a, A, e, E, f, F, g, G, c, s

Character class ranges must also be properly specified with a hyphen in between two printable characters. The two following lines are both properly specified. The first accepts any character from a to z, inclusive, while the second accepts anything that is not a to z, inclusive. 

[a-z]
[^a-z]

Note that the range is in terms of character code values, and on an EBCDIC platform it will include some nonalphabetic codes. Consequently, the isalpha() function should be used to verify the input.

Noncompliant Code Example

Mismatches between arguments and conversion specifications may result in undefined behavior. Many compilers can diagnose type mismatches in formatted output function invocations.

const char *error_msg = "Resource not available to user.";
int error_type = 3;
/* ... */
printf("Error (type %s): %d\n", error_type, error_msg);

Compliant Solution

This compliant solution ensures that the format arguments match their respective format specifications.

const char *error_msg = "Resource not available to user.";
int error_type = 3;
/* ... */
printf("Error (type %d): %s\n", error_type, error_msg);

Noncompliant Code Example

The width and precision arguments to sprintf() format directives must be of type int. According to C99:

A field width, or precision, or both, may be indicated by an asterisk ('*'). In this case an argument of type int supplies the field width or precision.

Passing them as any other type leads to undefined behavior. In this noncompliant code example, the width and precision are specified using parameters declared to be of size_t type. These are unsigned types that may not be the same size as int.

char *fmtint(int i, size_t width, size_t prec) {
  int n;
  char *buf;
  const char fmt[] = "%*.*d";

  /* determine the size of the buffer */
  n = snprintf(NULL, 0, fmt, width, prec, i);

  /* check for snprintf() failure */
  if (n < 0) {
    return NULL;
  }

  /* check for malloc() failure */
  buf = (char *)malloc(n + 1);
  if (NULL == buf) {
    return NULL;
  }

  /* check again for snprintf() failure */
  n = snprintf(buf, n + 1, fmt, width, prec, i);
  if (n < 0) {
    free(buf);
    buf = NULL;
  }

  return buf;
}

Compliant Solution

In this compliant solution, the field width and precision arguments to sprintf() format directives are of type int. 

char *fmtint(int i, int width, int prec) {
  int n;
  char *buf;
  const char fmt[] = "%*.*d";

  /* determine the size of the buffer */
  n = snprintf(NULL, 0, fmt, width, prec, i);

  /* check for snprintf() failure */
  if (n < 0) {
    return NULL;
  }

  /* check for malloc() failure */
  buf = (char *)malloc(n + 1);
  if (NULL == buf) {
    return NULL;
  }

  /* check again for snprintf() failure */
  n = snprintf(buf, n + 1, fmt, width, prec, i);
  if (n < 0) {
    free(buf);
    buf = NULL;
  }

  return buf;
}

Risk Assessment

In most cases, incorrectly specified format strings will result in abnormal program termination.

Recommendation

Severity

Likelihood

Remediation Cost

Priority

Level

FIO00-C

high

unlikely

medium

P6

L2

Automated Detection

The LDRA tool suite V 7.6.0 can detect violations of this recommendation.

GCC Compiler can detect violations of this recommendation when the -Wformat flag is used.

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Other Languages

This rule appears in the C++ Secure Coding Standard as FIO00-CPP. Take care when creating format strings.

References

[[ISO/IEC 9899:1999]] Section 7.19.6.1, "The fprintf function"
[[MITRE 07]] CWE ID 686, "Function Call With Incorrect Argument Type"

09. Input Output (FIO)      09. Input Output (FIO)      

  • No labels